Author: Dan Billing

NB: This blog post is adapted from one I wrote for an internal blog post at work, so it has been sanitised for content.

When learning new things, ideas, skills or exploring new perspectives, the image above reflects how I am feeling when I am trying to assimilate and process all the activities I take part in within the testing community. It’s that beautiful and terrifying moment when you are flying and the sun is ablaze on the horizon. It’s knowing you’ve learned a lot, but there is so much left to learn. Perhaps a move one way or another will lead to failure, but as long as you are quick to learn from those mistakes you can be on a well-lit path again.

Over the last month or so I’ve been attending a few events, including ITAKE Unconference in Bucharest, Romania, Let’s Test in Stockholm, Sweden and Nordic Testing Days in Tallinn, Estonia. Each of these events offered something new and different for myself as a contributor to those events. However, it is the other aspects of what they provide that are important.

ITAKE Unconference

ITAKE Unconference was my first time giving a Keynote talk at a conference. This was a huge honour not just to be asked to give a talk, but also the fact that it wasn’t a testing conference. ITAKE is a developer conference. Every attendee is highly technical, lives and breathes the code they write and the tools they use. It made me realise that whilst I have spent a lot of time learning about security, there is so much else to learn. Especially about how developers learn and work, and how applications are crafted.

I spent hours talking about how to build good environments for testing using tools like Docker and Heroku, or exploring how developers think about testing. A lot of it is about unit testing, some of it is about automation. But there are a lot of developers who understand the value of good testing and want to work with testers to make it happen. There is a lot we can do better to support them in this endeavour. These are things we should be doing at Medidata…testing cannot happen or exist in a vacuum.

Yes, there were those that think the role of testing or testers is now defunct, where a technical person can achieve all things they need to on a project. It was interesting to be able to discuss and challenge some of that thinking, where a tester can be a specialist or advocate for testing on their project; rather than someone who executes tests, gathers test results and creates endless meaningless reports. I’m not saying reporting is bad, just the doing the wrong reporting is bad, and unhelpful. It doesn’t add value, nor does it explain to those who don’t test what the value of the testing is.

ITAKE is a hotbed of software craftspeople. People who want to build and develop great software for their customers and clients. The best talk I went to while I was there was one of the other keynotes. Felienne Hermans, of the Netherlands, gave a talk called:

This reflected on her approaches to teaching coding to children. Children learn predominately through play, exploring their environment, and asking questions. It’s something that adults have largely forgotten how to do, or if we haven’t has become more formalised. We’ve turned play and learning into work instead. We can make our learning far more creative through events such as hackathons. We should review, model and landscape our applications inside the environment we are working in. Children do this far more naturally than (some) adults.

She also talks about introducing children to the scientific method, how we observe behaviour, theorise about why the behaviour occurs and make a hypothesis, and then on to experiment in order to prove/disprove that hypothesis. This can be applied to coding as much as any branch of science or other learning.

Let’s Test Sweden

This was a bittersweet event for me. This was my third visit to Let’s Test in as many years, but sadly it will be the last ever Let’s Test in Sweden. The organisers have decided to call it a day. This edition of Let’s Test had a distinctly technical focus, with each session being a three-hour workshop, held over two days.

I ran a workshop called Web Application Security, a Hands On Testing Challenge. We have Security Awareness Training in-house, which covers many of the techniques and tools of security testing, so this follows a similar path. Given the time and space in the office, we should be able to make this learning much more hands on. I try and provide a safe space for the attendees to find problems and ask questions about the application under test so that they can also talk with confidence about security in their own environments.

I attended a number of other workshops, including Alan Richardson’s Evil Tester’s Testing Games of Evil Testing. In this workshop, Alan introduced us to how we can use simple tools such as the browser developer tools to interact with simple JavaScript, API clients and HTTP requests to give us a competitive advantage in debugging web based games.

Whilst the topic might sound trivial, the application and usage of these tools are crucial for testing and debugging modern web applications. Browser based development tools will allow us to do so many useful things:

Viewing the source, both HTML and JavaScript

Debugging JavaScript, via the Console

Tampering HTTP requests

Testing REST services from the browser

Custom headers

Throttling application performance

Emulating other browsers, devices and screen resolutions

During the workshop, we played the games to understand them and their gameplay. We found bugs and fixed them, we wrote code and created cheats to make it easier to win, get massively high scores or infinite lives.

One of the other workshops I attended was Aare Nurm’s Pedal to the Metal. Aare hails from Estonia. His workshop was a fantastic, practical exploration of how software and hardware combine to make products, solving problems and exploring how stakeholder demands can cause issues and constraints with your testing, and how your testing value is perceived and acted upon.

We were given the exercise to test a keyfob for a new kind of car that was coming on the market. We didn’t have access to the vehicle, but only to a prototype to the keyfob. We needed to utilise all our testing savvy to come up with test ideas, find problems, analyse logs and even fix the issues ourselves.

Essentially the keyfob was a Raspberry Pi Zero, with a pin board and wires which could be configured to give different settings. We also had a set of LED’s which would flash according to the function the keyfob was supposed to be executing, including:

Unlock the car

Lock the car

Remote closing the windows

Activating the headlights

Remote boot/trunk opening

Start the engine

We initially observed the behaviour of the keyfob in order to determine it’s function. We were given minimal, but rapidly changing requirements not only for the product but also the business. Essentially if the car failed in the market, the company would go out of business. Hardware and software are so entwined, that even if the product is solid, well made and easy to use if the underlying software architecture is poorly implemented, this can result in a poor customer experience.

Here with my workshop partner Phil, you can observe our testing and learning. This was honestly one of the best learning experiences of my life. Check out the videos here:

Nordic Testing Days

I’ve run testing events before, such as South West Test in Bristol, and SWEWT (South West Exploratory Workshop in Testing). Never before have I helped to run a conference. Nordic Testing Days 2017 was my first adventure in being a conference organiser. It’s hard work, let me tell you.

I’ve been lucky enough to speak at every Nordic Testing Days since 2014, on both using emotional heuristics in our testing, and security testing. Last year I decided not to submit again, to allow new voices to be heard. However, the organisers asked me if I wanted to be a part of the team for 2017. This responsibility came with all sorts of challenges, including organising the venue, social events, curating and selecting the content from the call for papers, interviewing the prospective speakers, organising and facilitating tutorials and talks, as well as solving logistical problems and finding replacement speakers for those that couldn’t make it.

I had the pleasure of facilitating Fiona Charle’s tutorial The Art & Science of Test Heuristics. In this session, we were tasked with coming up with test ideas for two different scenarios, interspersed with both group activities and discussion in the round.

The first activity was to generate test ideas for a number of different puzzle games, such as SmartGames IQ Steps and IQ Fit. The task was to not only solve the puzzles but also identify and utilise heuristics for solving the problems that the puzzles posed. Many questions needed to be asked, including how many ways could we solve the puzzle, what problems or issues did we identify when solving the problem, what oracles can we use when solving the problems? It was no easy task, and one of the teams gave a massive cheer when they eventually solved their puzzle.

The second activity was to generate test ideas from this video:

How many test ideas can you come up with to test the Oh Canada Beer Fridge? The main takeaway from this workshop for me was looking at heuristics as a tool to generate great testing ideas. It’s a complex problem, with no one size fits all solution. Test ideas are our life blood, by being the fuel for our learning and our ability to do our work.

Solving a problem of learning

I’d like to introduce you to a little project that David Hatanian and I have been working on. David is a member of the fantastic team at Codurance, and we first started working together on this project in February 2016.

Following my experiences at European Testing Conference in Bucharest, I realised the time had come for me to create and build my own vulnerable application. This was so that I would be able to run my own workshops on security testing, coach my colleagues and other testers aswell as demonstrating vulnerabilities; such as the OWASP Top 10.

I also worked closely with Bill Matthews, initially shadowing him, but then helping him to deliver workshops at international conferences. For these workshops, he built his own web application, Ace Encounters, which is a travel and wild adventure website.

Of course, using a real world application to practice these skills is highly illegal. So, students of security testing need a safe place to practice and learn. We aren’t hackers after all, we are testers. We aren’t there to steal, undermine or attack. We are there to explore and learn.

Pairing with David has been incredibly rewarding for us both. I’ve supported him with his understanding of security vulnerabilities, and he has supported me with my learning of object orientated programming (in this case Java).

A couple of months ago I ran a session using Ticket Magpie, for the testers at NewVoiceMedia. The session was well received, and everyone appeared to have fun. The team there are really great at generating interesting test ideas, developing their skills, and following through with practical application of their learning. Taking this out into the wider community of testers was to be the next step, at Test Masters Academy.

Get Ticket Magpie

Ticket Magpie is easy to get, from David’s Github project. Check it out here and follow the instructions on the page. Here is some additional installation guidance.

Running TicketMagpie

If you are successful, your browser should display the application, and it should look like this:

Ticket Magpie

Bug Hunt

I invite you to have a go at exploring Ticket Magpie. There are some fun features for you to take a look at. I’m not going to spoil things for you by listing everything here. You might also find some interesting problems.

Because the application runs on your local machine, docker or VM, you can use any technique, tool and gnarly hack you want, without harming anything or anyone else.

Take your time and let me know what you think. If you feel the need, you are welcome to use this form to provide feedback about the application: Ticket Magpie Survey. Alternatively, just message me on Twitter, or comment on this blog.

We’re all on a continuum. Life will take you in all sorts of strange directions, be it professionally or personally. These are some reflections on some of the goings on I have experienced recently.

Goodbyeee

Going over the top… Blackadder: Goodbyeee Copyright BBC (1989)

Up till the end of September, I had been working at NewVoiceMedia for nearly three years, initially as a contractor, and then latterly as a permanent member of the development team.

It was an incredible time. The opportunities that working at NVM afforded me were huge. Learning new skills, particularly in security testing, and working within strong, fast paced, agile (Agile) teams.

I thank everyone that I worked with at that time, especially Rob Lambert for giving me that chance, and enabling great testing and work in general.

I want to be a part of it…

New York. My first visit to this incredible city afforded me many great opportunities for learning, as much about being a citizen of the world (which Theresa May insists that I am not), than it was about anything else. Whilst the traffic, noise and hubbub are all consuming and sometimes overwhelming, especially in Manhattan, there is a sense of energy that I have felt that is unlike any other city.

I was there for Test Masters Academy, which was organised by Anna Royzman. Whilst I have presented workshops and talks on the subject of security testing before, this was my first time presenting in the United States. Also, this was the first time presenting using a tool that I had helped to build myself.

I came to a conclusion earlier in the year, following European Testing Conference in Bucharest. I needed to step up my game. The best workshops I had been to had been well planned, with great resources and learning opportunities. The course teacher had often created or supplied applications for the attendees to explore and test. I needed to do the same.

At ETC I met Franziska Sauerwien, of Codurance, who put me in touch with the Software Craftsmanship Slack group. There I paired up with Java developer David Hatanian, also of Codurance. Together, we created Ticket Magpie, a vulnerable web application written in Java. (More on Ticket Magpie in a future blog post)

Ticket Magpie

During the workshop, a few technical issues were to be had regarding deployment and hosting of the application on the attendees laptops. I wasn’t to be deterred, and adapted using a couple of publicly available web based vulnerable applications.

However, I quickly found that basing the content solely upon a list of well known application vulnerabilities was a mistake. It’s more important to understand the concepts of security testing rather than the vulnerabilities, without a framework in which to understand them, and the skills to explore them. This realisation was further clear to me after discussing them with Maaret Pyhäjärvi, and having a post mortem discussion with Jess Ingrassellino at the conference.

Future workshops will be supported by Ticket Magpie being deployable via a stable Docker Hub image, rather than relying on Virtual Box images, or attendees setting up the system themselves. Also there will be more of a focus on the techniques and skills of security testing, rather than just vulnerabilities.

New Pastures

This is now the beginning of my second week at Medidata. This is a new way forward for me in a number of ways. It’s my first time working in the medical and life sciences sector. Medidata build cloud platforms for their clients to manage clinical trials on new drugs and treatments. There is a lot of new domain knowledge to learn, people to meet and company culture to become a part of. It’s exciting.

Next, and this is often the tricky part…adapting to a new role. I have come from a role where I focussed predominantly on the security testing needs of the business. The objectives were to support the team with my security knowledge, plan and execute penetration testing against our services, as well as provide coaching and mentoring to my peers on the topic.

My new role has somewhat a broader remit. It’s not focussed solely on security for a start, which means I’ll get to re-explore other aspects of the testing craft. This is exciting to me. I’ll be working at a more strategic level, supporting the testers, test managers, senior management and other team members across the entire business, globally. They’ll be opportunities for training, coaching and mentoring too! I can’t wait to get my teeth stuck in to it!

Another great aspect of this, is my new commute. Now, I could complain about the cost of the British rail network. It’s one of the oldest in the world, but it does run, and usually gets me to London on time. My commute is usually between 90-120 mins each way, which affords me a great deal of time for reading, learning, and maybe catch up on some work. (Sure, I’ll probably sneak in an episode or two of my favourite TV show, or have a nap if I need one).

Time is a great resource. We shouldn’t waste it. If I’m going to spend up to four hours a day in a tin can, I’m not going to squander it.

A change in focus

I was lucky enough to be invited to MEWT (Midlands Exploratory Workshop in Testing) last weekend (9/4/2016). The theme was professionalism, or professional testing. Unfortunately I was unable to give my presentation, due to a lack of votes and time. Fortunately however, many of the themes and issues I wanted to share did get exposed during the subsequent session discussions. Whilst I won’t reel through a list of the talks, the content and the discussion I do want to present my thinking on my role, which has been changing from what could be termed a testing generalist towards more specialised testing.

At NewVoiceMedia we have recently formed a security team, of which I am the application security testing lead. This move has taken some time, as the corporate focus on security has matured and developed over the last few years. Whilst previously I was part of a feature team, creating products, testing features and functionality; I am now leading the charge on application security across this business.

Not only will I continue testing to a certain capacity, but also work alongside my colleagues to ensure that their features also have appropriate levels of discussion, learning and testing around the security of our products. I also need to work with the CTO, Security Officer and the other engineers on my team to raise the awareness of security matters, tailoring the content to each of the departments at NewVoiceMedia.

Professional or professional testing?

During the discussions at MEWT, we talked about what it meant to be professional testers, both with a small and big P. The focus shifted and flowed around roles and responsibilities, ethics, certification, communication, learning, models and skills. It was a challenging discussion with some deep thinking and debate throughout.

One aspect though stuck particularly with me. Abby Bangser led a discussion on what it meant for her to be a “Full Stack Tester”. This, and I am happy to be stand corrected if my interpretation is inaccurate, is Abby’s view on what it means to be a tester that is able to see and operate across not only the technical stack, but also across the business. Essentially being able to approach, think and help solve any problem that a tester might encounter. Abby herself aims to be “the worlds best rubber ducky”. (A reference to the technique by which a programmer explains their code line by line to another person, maybe a tester or programmer, or even an inanimate object: Wikipedia: Rubber Duck Debugging, Book: The Pragmatic Programmer: From Journeyman to Master; Andrew Hunt, David Thomas)

During this discussion, amongst many others, we hit upon what skills testers need to do their job. The exploration and development of skills beyond that of testing appear to be essential for us to maintain our ability to be professional testers in a rapidly changing business and technical landscape.

It is also clear that whilst technical skills are, and should be, important, they aren’t the whole story. Testers, of whatever flavour, cannot work in isolation of their business context. We need skills that go beyond our technical knowledge and delve deeply into our business domains.

Bill Matthew’s reflected on Iain McCowatt’s statement that he prefers testing as an activity, rather than testers as a role or profession – as he see’s a problem with some of the dogma surfacing in the testing community.

"Testing over testers" & "Testing as a Profession is a bad idea but Professional Testing is a good idea" key points from @imccowatt#MEWT

Is there a problem with my T-Shape?

Which takes me to the issue I wanted to share with you here. You can find specialists in almost all walks to life, any profession, vocation, workplace and context. As I’ve previously mentioned, my main focus at work is both security testing and corporate security awareness.

Outside work I am a Scout Leader, but I specialise in running activities for the Cub Scout section – children who are ages eight to ten and a half. I occasionally help out in other areas of Scouting also. I’ve planned and led multi activity sessions, camps and Scouting ceremonies for many children and other adult leaders.

My great-grandfather, who was a Church of Ireland and Church of England minister was also a head teacher at a school in Bath. One could argue that being a clergyman is both vocation and profession. Some might argue that teaching could be thought of in the same way.

My maternal grandfather was also a clergyman, but also a community builder. One of his first parish assignments was in Lewisham, South East London, in 1943. This was of course during the World War Two, and the Blitz, one of the darkest times in the history of the United Kingdom. Alongside my grandmother, he helped keep his community together during a terribly difficult time.

The T-shaped people in my family don’t stop there. My mother, Jocelyn, is not only a nurse, but is also an acute cancer care specialist. She is trained and practices specifically in caring for patients with urological cancers, as well as palliative care.

Jocelyn Jaun – specialist cancer care nurse, and my Mum!

So, what’s the problem here? Well, as I have deepened my skills in security testing and other matters around security, I have found that my career has shifted to focus on security almost entirely. That has presented some issues. Here is a summary of them:

The Positives:

Learn from great people

Deep skill development

Seen as an SME

Leader in the security space

Championing security across the business

Coaching other testers

More value to the community

The Negatives:

Bus factor of one – can create bottlenecks and issues around dependencies

Potential stagnation

Less time for learning as there are large demands on my time

Competing priorities – security isn’t at the top of everyone’s list

Concerned that I’m not developing other valuable skills

Worried that my t-shape is becoming unbalanced, or doesn’t always fit

All of these issues above are within my control to exploit, or challenge and manage. Let me focus on the specifics of this change in focus.

Firstly, It means that I’m no longer working with my previous feature team. I had developed a good working relationship with that team, and it was really difficult to transition from a close knit team who were co-located, to a more loosely formed team, who aren’t co-located, and where I’m almost autonomous. It means being more reliant on myself to get things done, rather than feeling able to support others or get support for myself when I need it. I know this isn’t strictly true, my colleagues are great and always willing to help a fellow team mate solve a problem. (Danny Dainton is a great example of this)

Secondly, becoming a bottleneck is and can be a problem. I’m still responsible for managing, planning and executing security testing across the whole business. People come to me if they need some security testing being done, but what we are working towards is each feature team taking responsibility for the security testing they need to do. Ultimately I am only one person. I can’t do everything, and sometimes I need a holiday. So to help with this I consult with each team, share ideas and knowledge, organise training, and pair with developers and testers to solve problems.

I’m one of many test engineers and development engineers, but I’m the only one of my team who has developed a deep focus in this area of testing. Many of my other colleagues have other interests and responsibilities – management and coaching, UX and design, automation, scrum-mastery, release co-ordination and regression testing, building tools and other useful things…the list goes on. It means that my t-shape can fit in with other peoples t-shape. If I don’t have the skills needed to complete a task, someone else will, and I can learn from them.

Take a look at what some folks have said about T-Shaped people, and specifically T-shaped testers.

Solving the problem

This last week has been Hackathon time at NewVoiceMedia. We get a good slice of time every few months to work on projects that are outside of our roadmaps, but that will add value to our teams, our processes and our business. It also helps with broadening and deepening your skills in all sorts of areas.

This week I’ve been involved in a coding workshop led by three of my development colleagues. Some of us were developing our C# skills, others were developing their Python or Ruby skills. I chose Python myself as it integrates well with one of the tools I use for security testing: Zed Attack Proxy from OWASP.

In the end I was able to run a ZAP scan, generate an XML report from ZAP, parse that report into JSON and then push it to a static HTML page. This is part of my aim to get security testing into our CI processes. I’ll write in more detail about this in a future post.

So whilst I might be doing less testing in future, I am still a tester. Whilst I am deepening existing skills, or adding new skills that can and will be useful. I will still have that broad range of skills that might identify me as a tester. It’s up to me to embrace the change that is happening and work with it, rather than focusing on the negative. That way I can remain relevant, valuable to my team, business and customers – and ultimately fulfill myself in my work.

I want to thank the MEWT 5 team and attendees for a great day of discussion and learning. Signing off!

So another year has come around, and TestBash has come and gone. What was initially planned as a series of posts around TestBash and the Rapid Software Testing course didn’t come to be, due to an unforeseen technical hitch. So instead, this is my response to the events in Brighton last week. My annual pilgrimage to Brighton for TestBash had an extra few dimensions than usually just attending workshops and the coference day

Rapid Software Testing with Michael Bolton

So as I mentioned in my last post I was about to embark on the journey into Rapid Software Testing, on this occasion led by Michael Bolton. I’ve followed Michael’s (and James Bach’s) work for some time now, like a lot of testers who identify as context driven. I’ve been using many of the techniques, models and approaches to testing that RST champions for a while; mostly via learning from others, reading and applying techniques in practice. I have however not undertaken the course before now.

RST with Michael Bolton – March 2016

However the greatest impact upon my life as a tester was being able to talk and discuss the thinking around it with one of the authors themselves. It gave the the concepts, thinking and knowledge the practical grounding it needed, framing it within the discourse with Michael. A most rewarding experience. Now the unusual thing was that not only was I attending and learning at RST, but I was also facilitating on behalf of the Ministry of Testing. That meant that my primary concern was to the needs of the group and the coach. So balancing my needs and those of the group was challenging.

We discussed heuristics, oracles and models for testing in extreme depth, at least within the time allowed. We explored and practiced techniques for deep learning, exploration and test design and strategy. We would often revisit, review and tune our thinking on each topic, where Michael fed in to our learning, but responded actively to questions and responses, challenging and exploring each one in depth.

Here for example is one of the initial activities we did. A 15 min charter using the “Triangles” application. Here are my notes, capturing what I explored and discovered with my partner.

As a tester, I wanted to observe how the triangles application recorded data, inputs and outputs in the system:

We entered a range of values and inputs in to triangles.

Integers

Decimals

Negative

We observed that a text file, triangles.txt was created by the application

Bug – the triangles.txt file is written to the folder above the application folder, so /thingstotest not /thingstotest/triangle

Bug – when we entered values into triangles, there was no feedback on the values, just the shapes.

Bug –

SIDEA: -1

SIDEB: 2-

SIDEC: 1

TYPE: X

SIDEA.ERROR: ILLEGAL CHARACTER

SIDEB.ERROR: ILLEGAL CHARACTER

These illegal characters are not fed back to the user in UI, so they don’t know what is or isn’t an illegal value. Not enough information is presented to the user.

Now, the triangle application was one I had been familiar with for a while, thanks to a great session at the office led by Chris Simms (@kinofrost on Twitter). My familiarity was not the point here. I reviewed my notes from that session, and they were different interms of info captured. I also had more time available in a lunchtime session. We had the opportunity to dig deep and produce some good work, some good testing in both sessions, but recognising the limited time we had is a factor that will need to be applied in all testing sessions.

Triangles is a fairly simple application. You enter three variables for the size and shape, and it responds with the type of triangle and an appropriate image of the shape. It also has a log file which records the values entered, and the application responses. The depth of the groups testing belies the simplicity of the application under test. Each group found different problems and further questions to ask, there were also many overlaps in our observations. However the learning was being blue to design testing on the fly, with little or no prior information. Easy, right?

Well, no, not easy. Asking good questions is never easy. And that’s the whole point of RST, I feel. A lot of traditional testing practice expects us to read documents, write documents and write test scripts. Testing through those approaches appears to be somewhat of an afterthought.

RST challenges us to ask good questions. Through asking and answering good questions we develop good testing ideas, strategies and approaches. The documentation becomes the notes we take, or in our case the mind maps we captured in another session. Our advocacy and responsibility for our testing and the products of our testing are at the heart of what RST is to me.

Below are some notes from the team, captured during the course. Bearing in mind that these are incomplete and a work in progress. They do have problems of ‘translational’ and ‘transactional’ awareness between the group, the coach (Micheal) and me (the scribe). Trying to capture people’s thoughts and learning is really hard, especially in large and vocal groups. The handwriting is mine, but this is the work of the whole group.

RST – Heuristics and Oracles

RST – Properties of Good Bug Reports

RST – PEOPLE WORKING – a mnemonic for problem reporting

RST – Some testing models

There is a lot to digest and process from RST, probably too much to share in a busy blog post. In summary, RST was an incredible experience. It has afforded me the opportunity for me to both challenge and consolidate my existing learning, enhance my note taking and observation skills whilst testing. It’s also allowed me through facilitation to place a greater priority on the learning experience of my colleagues than that of my own. It was hugely valuable, and I would jump at the chance to do it again. I’m grateful for Rosie Sherry for letting me facilitate on behalf of Ministry of Testing (thats me being all corporate in the red MOT T-shirt); and to Michael for his time, knowledge and insight. Many thanks!

Rapid Software Testing Alumni – March 2016

TestBash Brighton 2016 – Workshops

So on to TestBash. The workshop day has been an event that has been introduced both through demand for rich learning opportunities in the testing community, also the Ministry of Testing’s desire to create an environment where that can happen. In the afternoon I was running my own workshop on proxy tools, which I will leave others to reflect on in public.

For my needs I like to balance the technical learning I get with more soft skills. It’s an area I have huge problems with. Technical learning is often a case of broad reading, practice and being open to developing the skills required. My personal route to developing a reputation as a ‘security expert’ has meant that I’ve had to focus hard on the technical skills, rather than developing other elements of what testing (and software development) can be.

Christina Ohanian (@ctohanian) and Nicola Sedgwick (@nicolasedgwick) ran their workshop “Connecting the Dots: Empowering people through play” in the morning session, and I have to say it has been one of the best professional decisions I have made attending this workshop.

Christina and Nicola are great proponents of the power of play to engage and develop people within the workplace. They have worked together at The App Business, and have developed a great rapport with both each other and the folks in the workshop.

Through a series of activities, both practical and thought provoking the group were encouraged to develop our thinking and learning to enable us to solve problems and adapt to change.

The activities were:

In a circle, we each gave our name and revealed a fact about ourselves. We then went round the circle again and had to recall the name and fact of each person in sequence. This was as much a challenge as it was an icebreaker. Memory is hugely at play here but it does fail you sometimes. Some names and facts were easier to remember tha others, perhaps because the were unusual. The rhythm and pattern of the sequence almost became second nature by the end of the game, so by the end we had all gotten to know each other through the confines of the activity.

Lego story boards – using an iterative process, we built a narrative story board, an then constructed the narrative in Lego. At various points in the activity, a new element was introduced, or a complication that meant we needed to replan and refactor our work. In short order, we discovered that our resources, imagine and ability to adapt was to be put to the test.

Project Jenga – the team were split into three groups, developers, testers and designers. With Nicola acting as a project manager, we were asked to design and build a mobile application to accompany the conference. Through discussion, we had to meet certain acceptance criteria, explore problems and risks. With each encounter we had to remove a block from a Jenga tower. With each move the risk increased that the project (or Jenga) would collapse. This activity allowed us to explore our questioning skills, as well as our empathy and co-operation with other teams.

Posters – in groups we were asked to design a poster for TestBash, using certain acceptance criteria. We then wrote a description of our poster which was then shared with the other team, who then had to draw a poster using our instructions, and vice versa. A fantastic activity that dug into our ability to analyse and interpret instructions and acceptance criteria, whilst engaging with the others in the team in a visual medium. We then compared each teams efforts to see which was closest to the desired product.

Nicola and Christina did a fantastic job. I said on Twitter that this was one of the most fantastic learning experiences I have ever had, and I meant it. I still have a lot to analyse and interpret, so that I can apply the learning practically in the workplace. Maybe we can use some of these activities or others to enhance our communication, our empathy and our ability to adapt.

TestBash Brighton 2016 – Conference

The conference day in hindsight was a bit of a blur for me. With all of my might I tried to concentrate on Lisa Crispin and Emma Armstrong‘s opening talk “Building the Right Thing: How Testers Can Help”. Unfortunately (or fortunately) I was up next on the bill, so I was a little distrcted trying to maintain focus on not collapsing in a heap. Lisa and Emma kicked off TestBash with a bang, with an insightful exploration on how testers can be the guiding light on projects, ensuring that not only teams do the job, but do right.

Lisa Crispin and Emma Armstrong

After the break, one of my favourite talks was Katrina Clokie‘s “A Pairing Experiment”. This talk described and explored how Katrina lead an developed pairing activities within her team at the Bank of New Zealand. When questioned on the challenge of convincing managers to relinquish team members for paired work, she responded that whilst they might be losing one tester for an hour a week, they’d be getting an extra tester for another hour each week. I’ve been lucky enough to see Katrina speak before about her work, and each time it’s been a revelation. She works hard to develop the testing at every organisation she has worked at, an beyond into the community itself. Great stuff!

Katrina Clokie

Up next was John Stevenson (@steveo1967). In his half talk/half conversation “Model fatigue and how to break it” he invited us to examine critically the models we use for testing every day.

He challenged us to reevaluate the models we use, cut them up, adapt the ones we find successful, combine them with other models, throw away ones we don’t use, create new ones if needs be. He challenges us to be diverse in our approaches to testing, no relying on this are models all the time. That way we can find out more interesting information about our testing. John is a great presenter, who engaged and enthused the audience, inviting them to through questions at him for he last 10 mins of his time on stage, rather than talk to the end of his time.

It’s something I can reflect on in my own day to day work, where we use a model to evaluate and plan our user stories the testing that is discussed in those stories. It has been adapted and changed over time to suit our needs, and I am sure will be changed or even chucked away if it doesn’t suit our purpose in the future.

John Stevenson

Later on in the day we heard from Patrick Prill, in his debut talk ” Accepting Ignorance – The Force of a Good Tester”. He led us in a discussion of how ignorance is not necessarily a wilful lack of knowledge, but just an absence of knowledge. That developing through understanding where our ignorance exists, we can develop our knowledge. It’s a huge force for change in testing. This is the gap between what we know, and what we don’t. The reflection on that upon our work as testers is where this talk had its greatest impact.

Where Patrick was not an experienced speaker (you wouldn’t know that from his talk), he utilises his many years of testing experience in Germany, the problems both cultural and technical that he encounters in his work which gave his talk huge insight.

Patrick Prill

After lunch we had our guest speaker, Grammy award winning singer (and tester) Michael Wansley (@teewanz) give us a highly entertaining, somewhat controversial but engaging talk “Test/QA A gatekeepers experience”. Testers as gatekeepers is not a very popular paradigm amongst the vocal members of the (particularly) context driven testing community. But within the wider view of testing as a process that is involved in developing and selling products, gatekeepers are often what testers and testing are perceived as.

It’s a popular view (one that I subscribe to) that testers should be information providers, learners, investigators but not necessarily decision makers about whether software ‘goes live’ or not. We may be part of that decision making prcoesses, but not the arbiter of it.

It’s within this context that I have a certain amount of empathy with Michael’s experience of working on a number of iterations of the Microsoft Windows operating system. He understands that testing cannot exist in a vacuum, where there isn’t recourse to customers, managers and Vice Presidents, or consequences of screwing up. His talk did (quite rightly) invite comment, and Michael stood up for his view honestly and with vigour. Whether you agree or disagree with his view, that should be applauded.

Michael Wansley

Zachary Borelli introducing Michael Wansley

After that it was “Having all your testers code: It doesn’t have to be a big deal” by Anna Baik (@TesterAB) and Andrew Morton (@TestingChef) on the challenging task of ensuring all testers contribute to the automation strategy at Brightpearl. Now I have to give some personal interest here, as not only are Anna and Andrew friends of mine, they are also former colleagues of mine from my time contracting at Brightpearl in Bristol.

It’s a fast paced, highly charged environment of great development and testing across the business. I was tasked with testing integrations between the Brighpearl service and a number of third parties. I didn’t get too involved on the automation side of things, but I do know what a challenge it was to implement.

This was I think for many a challenging talk to follow, as the style was unusual (no slides), but the content was highly pertinent and valuable to many teams now trying to grow and mature their testing capabilities and automation strategies.

Anna Baik and Andrew Morton

As a tester who too often focuses on the technical rather than human elements of testing, the next talk turned out to be my absolute favourite of the day. “Do testers need a thick skin, or should we admit we’re simply human” by Nicola Sedgwick (@nicolasedgwick) was a bold and brave exploration our ability to communicate, or failings as testers to sometimes not recognise problems not with software but in ourselves.

One of the key aspects of this talk was our response to stress, how it compounds upon other stress. Where there is a lack of challenging activity, or work we care about can lead to either boredom or even more stress. Some of my close friends in testing know that the last couple of years have been difficult for me, professionally and personally, and for this reason this talk really resonated with me. Nicola challenged us to ask what kind of tester we were. Well, I’m not sure I can answer that question yet, but I’ll be one that never forgets that humans are fallible, in a world that increasingly looks to punish those who fail to realise that.

Nicola Sedgwick

So to the final talks of the day – next was my friend and mentor Bill Matthews (@bill_matthews) who introduced us to the concept of Smart Algorithms. The maths and logical flows that allow systems to learn, recognise patterns and process data based on a wide range of inputs and variables. He challenged us to examine the potential testing concerns that might arise from working within such applications – a really complex problem which Bill was able to present with humour and deep, practical knowledge. I have to add here, that with glasses I am a Golden Retriever, but without I am a German Shepherd.

Bill Matthews

And finally…Nicola Owen (@NicolaO55) also from New Zealand, but recently relocated to Sweden to work with the great folks at House of Test. In “Nowhere to hide: Adjusting to being a team’s sole tester” Nicola guided us through two case studies were she was the sole tester on two very differs projects. She reflected upon her experience with great depth, clarity and insight, what she learned, her developing confidence and skill. In one case study she felt insulated from the problems that software development teams encountered, and in the other far more exposed as the sole tester. In each she presented how she approached each problem and dealt with it head on. Another awesome talk, to round off the day.

Nicola Owen

So to round off the proceedings, our host Vernon Richards (@TesterFromLeic) and his able assistant Mark Tomlison (Mark Tomlinson) lead us into a round of always amazing 99 second talks. This is the first time I have not done a 99 second talk, so it was refreshing to just sit back and enjoy. Highlights for me were Emma Keavney’s rap (@EmJayKay80) and Deborah Lee’s sit in (@DeborahLee89). Also a special mention to the new Software Testing Clinic (@TesterClinic) announced by Mark Winteringham (@2bittester) and Dan Ashby (@danashby04), which I hope to get involved in soon! Well done to all involved. A great potential showcase for future speaking talent I hope.

Mark Winteringham and Dan Ashby from Software Testing Clinic

Deborah Lee

Emma Keavney

So, to wrap up, TestBash 2016 I felt was an enormous success, both from a personal point of view, and in terms of the rude health of the conference. Rosie has done a great job again this year, and I hope to be involved again in future.

This is the first in a series of posts on my experiences of RST and the TestBash conference this week.

I’m on my way to Brighton today, to facilitate Rapid Software Testing, led by Michael Bolton. I’m nervous about that, but I’m more nervous about this.

My day is off to a great start. Overslept by 30 minutes, I need to wear my layers rather than pack them, and my train into Brighton is cancelled.

Bus replacement service to Eastbourne

So, to anyone who travels regularly on the British transport network, you’ll be familiar with the phenomenon that is the bus replacement service.

The bus is full, and I’m sat in the jump seat next to the driver, having picked up everyone from Hastings to Eastbourne on the way. There are probably many buses and bus drivers doing similar work across the country. (Subsequent seat moves to allow an elderly lady to sit down, and I’m now on the train from Eastbourne to Brighton, via Lewes.)

It makes me think of the services we test, when they are non performant or under stress. What do systems do when they are under heavy load, or a link in the chain is broken? How do you monitor and check that the system is performing as it should?

Clearly a system of checks and monitoring have come together to arrange this bus I’m travelling on. Service performance was seen to be dysfunctional due to a systems failure, so an additional service was put in place to pick up the slack.

What can testers learn from this?

Well, my first observation is to consider what your weak areas are. Is it the infrastructure, the application or the connectivity between systems? Do you know why they are weak, or can you improve or replace them.

As I’ve seen today, a replacement or temporary service isn’t necessarily better or more comfortable, but it is getting where I need to go.

I could have easily waited to get a lift from my Mum, but she was off conducting her own business elsewhere. I would still get there, but maybe not on time.

What monitoring do you have in place?

Monitoring isn’t just for your operations teams. At NewVoiceMedia, the DevOps team use all sorts of tools to allow us to keep an eye on performance, load, volume, through put, page impressions, browser usage as well as where any breaks in our systems might be.

It’s hugely important so we can adapt to problems, or see them off before they become issues to our customers. Peak times (like the rush hour on the transport network) are one of the main concerns.

Why is this a problem for testers?

Well, it isn’t a problem really. It’s more of a change of mindset. As organisations have to change and evolve to meet customer needs, testers need to adapt too.

Testers can and should be more aware of the wider needs of customers who need to use performant systems, rather than just having a narrow focus on the applications only.

We should be clear and concise in our communications, and be involved in the decisions that underpin our systems.

Why?

Well, in a DevOps organisation everyone has to muck in and get their hands dirty. Sure, there are people with specialist roles and positions of responsibility. But I see testers as the glue that holds systems together. We can get involved at any point, and not just on the application layer.

More and more will be expected of testers as organisations change to meet customer need, and we will have to meet that challenge.

So…RST

I’ve been wanting to do this course for years. And by chance, luck or fate I have the opportunity to do so now. I’ll be facilitating, so my priorities will be on the needs of Michael and the group, rather than my own.

It’s going to be a huge challenge, and like the needs of any complex system I will need to adapt.

I like to ask a lot of questions, but I anticipate a need to allow the group to generate those questions rather than myself. I’ve been told in the past that I can sometimes “not shut up” or “meander” during groups discussions.

It’s taken a lot of time and mindful thinking to try and control my natural instincts to ask questions or share knowledge, where others might not be willing, unable or be nervous. And I need to be be aware of that for the next three days.

Hey testers. It’s been a while since I have blogged last. This has mostly been because of such a massive workload, but also various personal events taking place. I normally blog when either I feel that I have something to share, or if I have a reaction to something I have learned – such as on this occasion.

CAST2015 – The Conference of the Association for Software Testing is running as I type this, from Grand Rapids, Michigan, USA. This is the first year I have been able to monitor the live stream. This is a fantastic service, offered to allow folks who aren’t attending to listen, watch and take part (via Twitter).

I want to reflect first on yesterday’s opening keynote speech by Karen Johnson entitled “Moving Testing Forward”. This was a very personal exploration of her career, learning and life; much of which resonated with me.

#CAST2015 If you don’t factor in your personal obligations, something will suffer: home & work have to co-exist somehow.

This is something I have sometimes had issues with in the past, and sometimes with great detrimental effects. Without going into too much detail, I’ve been places where I have been unable to establish good working relationships, or had personal problems intrude on my working life and vice versa.

The work/life balance has always been a hard road to travel. Family, friends and other personal commitments should take priority. Whilst I was building my career often that wasn’t the case, and my personal life suffered.

I also made possibly poor choices, but yet choices that have ultimately gotten me to where I am now – a great role, testing, learning, working with great people at an exciting business. A business that does it’s best to support its employees when they have personal issues and gives them breathing space and learning opportunities to be able to craft and shape their own careers. I am very lucky.

Secondly, I’d like to reflect on the keynote from the second day by Ajay Balamurugadas, entitled “The Future of Testing”. I haven’t met Ajay yet, but I feel that I know him through his work.

As a facilitator at Weekend Testing Europe we are part of his vision to provide great learning opportunities for the entire testing community. This tweet from Maria Kedemo sums up this attitude succintly.

A long time ago I did not feel empowered at all to learn for myself. I felt that all my learning needed to come from my employer, be paid for by my employer, if they were ultimately to benefit from it. Employers invariably are businesses with their own priorities and concerns – not necessarily with the personal learning and welfare of their employees.

As Ajay said, not being able to afford to go to conferences or attend courses should never be a blocker to learning. We have blogs, books, free webinars, meetups and tester gatherings, brown bags, Skype sessions on Weekend Testing, and any number of other roads to learning.

I had an epiphany on this several years ago. I was never going to get to where I wanted to be – be a home owner, clear my student debt, start a family If I didn’t take control of that learning. So I read blogs, I joined the Software Testing Club, I started looking at the work of other testers I had heard about, I even started implementing some of their approaches and techniques. All great learning.

But to take that further and on to the next stage, I had to get away from companies that didn’t support that approach to learning. I decided to go freelance, and this I have done for about 4 years or so. Now being at New Voice Media has allowed me to expand that learning into avenues that I hadn’t thought possible, exposing me to thinking and choices that may take me away from testing to focus on security, as I do at the moment.

It’s been a week since I have returned from Tallinn and the Nordic Testing Days conference, which has again been brilliantly organised and executed by Grete Napits and her wonderful team in Estonia. Helena Jeret-Mäe led the curation of this years content alongside her colleagues, and without doubt the organising team had certainly raised the bar again.

Santosh Tuppad, Rob Sabourin and Helena Jeret-Mäe out in the Old town of Tallinn

There were speakers from almost all corners of the testing globe, from Canada, UK, Australia, New Zealand, India and of course Estonia. A fantastic achievement! As a result of this breadth and depth of testing talent, it was hard to choose whose talks and workshops to go to, but choose I did.

Warming up

The hospitality and warmth of the conference, and Tallinn is evident. It began with an impromptu walk round the old town with Helena and a whole bunch of other great testers. The amazing architecture, the views from the city walls and the discussion made for a fantastic evening.

Relaxing with the Friendly Tester – Richard Bradshaw

Snap happy! Rob Lambert

But first on to the tutorial days! Bill Matthews and I had already run “Exploring App (In)security” at Let’s Test the previous week, and without a doubt we had learned from that experience. So, we aimed this time to rebalance the session to make it much more interactive and practical at the outset. Many of the challenges of security testing come not only from understanding the threats to applications and therefore businesses, but also understanding how those threats can be translated into real world vulnerabilities, which attackers can then exploit.

Bill Matthews – telling it like it is

Bringing forward those experiences in early, so the attendees were doing practical exercises from the beginning was our primary goal for the day, so that they got the most out of Bill and I, the material we produced and the learning they could elicit from the discussion.

Again, we started out with an exploration of the application under test, but then we burst straight into a group threat modelling exercise!

Threat modelling with these budding new security testers!

After that, all the testers broke into small groups and pairs as we all found ways to exploit the threats we modelled, by exploring the vulnerabilities that might lurk under the covers.

Pairing up with Katrina Clokie (and another tester whose name I can’t remember, sorry)

It was a long and exhausting day. Bill and I were rarely off our feet. We had a great time working with all these fantastic testers. One or two have even got in touch since to ask follow up questions and look for further study. Very encouraging and inspiring! It’s also inspiring me to do a whole lot more in 2016!

On to the first day of the conference proper, and following an interesting keynote by Mart Noorma on the Estonian contributions on space exploration and technology, I had my first major decision to make.

Spinning up your own influence

Katrina Clokie’s workshop “Become someone who makes things happen” was one of the highlights of the conference for me. In this workshop we were challenged to make sense of what our problems are in terms of making an impact on our teams, and influencing the decision making process.

Communicating our beliefs, needs and thinking is a huge problem for testers. I often have issues on influence myself, as I have explained in this blog post: The MEWTation of Communication. So, Katrina’s workshop really resonated with me because of that. We usually worked in pairs or small groups, working through scenarios where our sales skills specifically would be challenged – selling our own ideas, thoughts, and needs in testing.

Katrina Clokie – Become someone who makes things happen

Katrina referred to SPIN (Situation, Problem, Implication, Need) is a sales methodology that focusses on the needs of a customer, and attunes their offerings based on a mutually agreed solution. The problem here is not necessarily getting another person to recognise that the situation you have identified is a problem, that needs resolving, but also the impact to the person you are working with.

For testers there are always scenarios where this technique, and others like it, would be useful. Communicating your thoughts and feelings on acceptance criteria, resolving issues surrounding test planning and estimation, ensuring that you have effective resources and tools to do your job, bug advocacy – the list is endless.

Katrina encouraged us not only to explore the feedback we received, but also attitudes and feelings. Whether you are respectful and caring to those you work with, the difference between aggression and assertiveness, asking the right questions at the right time and using non verbal queues can all have an impact on your influence and ability to get things done.

This was a fantastic workshop that drew the best out of everyone in the room, both new to testing, experienced and hands on, and managers too!

Testing? Thats insanity!

Next up for me was Santosh Tuppad. His energy and enthusiasm for his craft was tested to the full, as Santosh lead us through a beautiful and colourful journey, as he became inspired to begin his own journey by starting Test Insane, his own exploratory test consultancy.

Santosh Tuppad from Test Insane

The great thing about conferences of any sort is that it can bring people together. Santosh and I have been in touch for many years now, but we have never met until we came to Nordic Testing Days. It’s like we have been friends for years, so a warm hug was in order, for this strong man had traversed continents to come and speak for an hour! However his love of testing and learning permeated the social side of this conference completely.

The impressive thing about this talk though was not just Santosh’s clear love of testing as a craft, but also his contribution to the wider community. Sure, Test Insane is a consultancy, but much of the material, tools, mind maps, and papers his team produce are shared across the board – for free! A valuable resource indeed, and Santosh and his team are a very valuable addition to the testing community.

Neil came across with a confidence that belied both his nerves and trepidation at speaking for the first time. He not only talked about the drivers to establishing an exciting and dynamic learning community for testers online, which was the main thrust of his talk – but also some of the psychological thinking that was involved in that process.

Neil talked about the imposter syndrome – where people who are extremely skilled and competent in their chosen field, and yet still feel as if they are frauds, not deserving of acclaim, attention or feel their achievements are of any worth. I think that this is a phenomenon that a lot of people encounter – only the most arrogant of people wouldn’t question themselves occasionally.

However, I feel that this is something that Neil should have no issue with. He is a highly skilled and intuitive tester, with a great breadth and depth of knowledge, and he expresses it well.

Neil’s story is a shared story however, and with Amy Phillips, and their journey to bringing back to life the Europe chapter of Weekend Testing. My involvement in that is a footnote in this story, but I hope to be very much of its future.

Gaming the system

Next up was Kristoffer Nordström and his talk “Gamification – How to Engage Your End Users”. Kris is another tester that I have known about for a while, but had neither met not seen speak. Another great opportunity to learn from someone new.

Kris’ talk was a fascinating exploration of using gamification to encourage the teams he worked with to not only produce great work, but enjoy doing it. By using elements of game thinking and mechanics, developers and testers on his teams were able to contribute to the product by finding bugs and fixing code; and were encouraged to do so by earning points (and points mean prizes).

Kris’s Moomins on tour in Tallinn

Here lies the problem that Kris elaborated on. How do you get people to want to work on code and bugs, but to not want to do just because they are going to earn prizes for their efforts. It’s a complex balance to strike. Renumerating them enough, with branded, high quality pencils, mugs and t-shirts; AND trying to make it fun and exciting for the dev teams.

Kris even gamed the talk, with attendees playing bingo, trying to pick out the key words from the talk. I think I would need to spend some more time with Kris to get more of a handle on this topic, as it is an interesting one. I’ve had to use similar techniques during my time as a trainee teacher and Scout leader to help children become more engaged with activities – collecting stars or badges for examples. Great stuff!

Valuable lessons

Like the rest of the conference, this keynote was another one full of firsts. Rob Sabourin is another tester who I have never met, but had heard many interesting things about. His talk ‘Value Sync’ was an exciting and dynamic discussion about what we value as testers, what people on projects and teams value, and what our stakeholders and customers value – and seeing the relationships between those values.

Rob Sabourin – Value Sync

Rob’s main point was whether the conflicts in these values could be resolved, where one person values low cost over quality, or speed to market over market saturation. There are a lot of elements to balance in teams, organisations and businesses; and testers have a part to play here in expressing what they value, and ensuring that the needs of stakeholders are also met by their testing.

It was a great ending to a long hard day of learning, networking and testing! But it wasn’t over yet.

Lightning in a bottle

So, there was a big sheet of paper on a pillar in the conference lobby – Lightning talks 9pm! I was tired, but there was so much energy in the room. Bill Matthews had already pressed ganged me into speaking – 5 mins of talk + Q&A. So, I contributed the short talk I did at MEWT and compressed it down…trying to pull out the salient points – about how personal identity and problems surrounding being a ‘geek’ in the workplace affects communication and influence.

In the past I have been a 9 to 5 tester, getting to work, doing my work competently, going home. That’s ok! There is nothing wrong with that. I had other interests and needs – I was in a new relationship and/or recently married, or I was playing in my gaming clan. Later, in 2007 I found other interests and got in to Scouting in a big way, which takes up a huge amount of my time. It didn’t stop me wanting to be a better tester, I just didn’t go to many meetups or do much reading, and certainly no conferences. As I have encountered various family crisis recently, I have scaled back my Scouting to focus on those, but my engagement with the testing community has filled quite a lot of that void; and it has been very rewarding.

A lot of this has to do with a number of factors – and one of the major ones for me was working in an environment that allowed me to be the kind of tester I wanted to be. Some of the companies that I have worked with have been less than supportive about attending conferences, worrying about the cost and the value to the business (perfectly valid considerations, I might add). Sometimes, if they allowed it, they specified the kinds of meetings to go to, rather than the testers choice. I don’t think I went to my first meetup until around 2008/9, almost a decade into my career.

I raised a question – ‘isn’t this about bad testers?’ not whether you spend every waking hour testing? It’s a different question, and not one we focussed on. Bad testing is not the same as being someone who doesn’t want to do testing or talk about testing in their spare time.

Neil also talked about introverted behaviours and how they might be a blocker to getting people engaged. It’s a complex problem, and not one easily solved. Except that creating a safe space for learning, either physical or not, that allows anyone to learn at their own speed and their own time can only be a good thing.

Rob Remaining Relevant

Friday morning brought new experiences and new challenges, namely watching Rob Lambert’s opening keynote on the second day of the conference. “Why remaining relevant is so important” reflects on the fast pace of change needed in businesses and services, and our place within that change. Do we sit on our hands and do nothing to meet that challenge and let opportunities pass us by, or do we skill up and start adding lots of value to our teams and businesses.

Ten Behaviours – with Rob Lambert

Whilst it may seem to be basic to talk about how you can remain employable, it talks a lot more to ensure you remain valuable to your team, and continue to be valuable throughout. It’s a challenge we face every day, not only as testers, but as members of a wider development organisation. And ALL of what Rob talks about in this talk is valuable to everyone, not just testers. One of the main points here I took home was adding skills. Add as many skills as you can, become good at them – it might be coding, or using a particular tool, or being knowledgeable about a particular testing approach, or domain knowledge in your organisation. These ALL add value!.

I’d like to reflect further on these points in due course, but it would take too long here to discuss. However I would say this. Rob’s book “Remaining relevant and employable” is a great read. I read it in one sitting by the pool in the Canary Islands, and was one of the main reasons I decided to take a permanent role at New Voice Media. I’ve told this to Rob myself, and I don’t mind telling you now.

Preaching to the unconverted

Lastly, before I wrap up, I wanted to say a word about Katrina Clokie’s talk, which was a last minute substitution to the programme. “Sharing Testing with Non-testers in Agile teams” was a fantastic case study on how Katrina went into a business with little or no testing, little or no agility and was expected to give them all that in a 90 minute training session.

Super sub – Katrina Clokie

Katrina’s experience here was an expression of a depth of knowledge and skill, but also patience, timing, communication, tact and learning. Something we all should pay heed to.

Fantastic Revelations, Amazing Revelations

I’m not going to write much about my own talk “The Testing of Fear” here. I can’t really reflect on this easily in public. Giving this talk was emotionally difficult for me. I had practiced the talk before, at meetups in the UK. All the talks went well.

Due to the unfortunate and untimely death of an early mentor in my career, Adrian Smith, I changed the initial few slides late the previous night. Adrian was important to me, not least because he helped me get my first step on the ladder. His encouragement, leadership, skill and fortitude was an example to all who met and worked with him.

I went to his funeral this afternoon, and I learned a lot about him. As a lad he learned to be a butcher in his home town. He was a Royal Marine Commando, and served his country on many occasions. After leaving the Marines, he served as a police officer, where he met his late wife Deena. After that, he began a largely self taught career in IT – project and people manager, developer, tester, architect, DBA – almost everything you could think of, he could do! We all respected him and loved him. His funeral service this afternoon reflected that, as many of his friends and colleagues joined his family to celebrate his life today.

He was an agent of change – no fear of that.

Farewell…but not goodbye

Nordic Testing Days 2015 was an intense three days of learning and development for me. I hope to be privileged enough to attend again next year, and for years to come. It is a dynamic and exciting conference, with a wide breadth and depth of excellent testers and experiences. I know it will go on being that way! I can’t wait for 2016!

Crunch time. Day 2 comes and so does the Exploring App (In)Security workshop alongside one of my most important testing mentors, Bill Matthews.

We had been planning this workshop for some time, and we really wanted to make this work for the attending delegates. Bill had pulled out all the stops to create a really brilliant learning resource in the Ace Encounters web application, and together we planned the learning objectives we wanted to achieve.

Our aim was to provide a safe learning environment where the delegates could learn about security test design techniques, the key vulnerabilities in web applications and how to exploit them. It was also our intention to elicit discussion around these issues in the context of software testing, rather than hacking.

Bill Matthews in Action!

There were lots of great opportunities for Bill and I to learn as well, feeding off the needs of the attendees, and also their experiences. It’s the best way for us to get better at presenting the content, making it more relevant and exciting for everyone. Here are some photos of the day, where we got to work with some really great testers!Let’s Test is famous for it’s more social activities. You can’t go far from the conference venue, as it is in the middle of nowhere. So, we all have to create our own entertainment.

As Day 2 drew to a close and after a great chat with some awesome people in The Test Lab, a few of us retired to the games room – ostensibly to play pool, but as always things descended into testing games and chat!

This is part of the attraction of Let’s Test, where you can just hang out, with a few beers (or whisky in our case) and talk about test, the universe and everything.

Chris Chant, Dan Ashby and Phil Quinn

On to Day 3, which was again a fantastic day of learning. This conference was my first chance to speak to many testers that I had admired and followed for sometime – such as Patrick Prill – @testpappy on Twitter. I hooked up with Patrick, Christina Ohanian and Dan Ashby at lunch time, and we did an impromptu recording of Testing in the Pub! I can’t wait for that episode to come out.

Patrick Prill

The morning lead me to more facilitation responsibilities, this time trying to manage the events at Jean-Paul Varwijk’s very well researched presentation and debate on the proposed ISO 29119 standard.

It wasn’t my job to get involved so much in the debate, but ensure that all the participants of the meeting at least got a chance to take part (If they wanted to) and ensure there was some sort of order to the questions, follow ups and burning issues being raised.

There was a lot of passion in the discussion. Clearly this issue has sparked much interest and concern within the context driven testing community. My main issue however that there was no real moderate or conflicting view arising from this discussion – most if not all people who spoke up had little that was positive to say about the proposed standard, or opposed it out right.

Still, Jean-Paul had presented a tonne of material he had researched and gathered over time, and presented a cogent argument in as balanced a way as he possibly could. All in all, I am glad I volunteered for this session, as it allowed me to see testers debating in action!

Jean-Paul Varwijk

Without doubt the highlight of Day 3 for me though was the fantastic session “Coders to the Left” lead Jan Eumann and Philip Quinn. This workshop encouraged us to work in pairs and small groups, with each activity with a different focus, for example working as a tester, developer or observer.

They had created an excellent resource for learning via a GitHub project called Fixture Finder. It essentially allowed you to search football match fixtures, using date and country as search criteria. More than that though, the workshop allowed us to explore what working like a developer might be like – and it was a challenge.

Rather than just finding bugs, we would isolate the cause and fix it on the fly, within our own instance of the app in Chrome. There were some very interesting bugs to find, such as blatant security flaws, or little bits of code that stripped search results from the list, or tampered with the results of football matches under certain conditions.

I know a bit of code. Not so much that it would allow me to call myself any kind of developer. I can use code, and other tools to help me solve testing problems. However this activity really did let us get to grips with how testers and developers can really work well together, reducing and improving the feedback loop as we test and code together. A brilliant exercise in collaborative learning.

Jan Eumann and Phil Quin

Anders, Dan and me pairing up

So, as my first experience of Let’s Test draws to a close I want to reflect on what has been a most rewarding and exhausting experience in equal measure. The learning from the workshop I ran helped us feed this learning into the following session at Nordic Testing Days, yet it made me realise that I don’t really blog much about security. I should rectify that.

Let’s Test allowed me to engage deeply with my personal approaches to testing, and what I value about myself as a human being. The impromptu chats, podcast recordings, Reiki healing workshops with Dawn Haynes, the testing games, workshops and talks I attended all helped with that. I do attend to go again, as it is such an intense and engaging place to be.

It is now almost a week since I arrived at Let’s Test near Stockholm in Sweden. I had heard a lot about Let’s Test, not least from my Weekend Testing colleagues Amy Phillips and Neil Studd. It was there this time last year that they decided to restart the Europe chapter. I had also heard a lot of good things about the conference from others in the community, all of which were overwhelmingly positive. So, as I recall my feelings and trepidations about attending and working at Let’s Test, I do it now with a renewed vigour regarding my career and learning.

The venue, nestled in a Swedish rural idyll on the Baltic coast close to Stockholm, is the perfect place. To say that it is beautiful is an understatement. The conference centre has the perfect combination of location and facilities that create a fantastic environment for learning, and of course, the socialising! After all, the conference is organised for testers, by testers.

In addition to this challenge, I was not only running a workshop on security testing with Bill Matthews (more on that later) but I had also volunteered to be a facilitator. This meant that the workshops or talks I had volunteered for, I had to assist the speaker as much as possible with setting up and equipment, generally being a gopher for them. During the “Open Season” portion of the sessions, facilitators had to manage all the questions fielded by the attendees. The conference organisers had given us all K-Cards, to allow us all to take part fairly in the discussions. If you want to know more about K-Cards, check out this blog by Paul Holland – The history of K-Cards

Ben Simo – “there was not a breach, there was a blog’

Day One

The opening keynote was in a word, fantastic!

Ben Simo is a tester that I have been following for some time. His experiences and learning from attempting to organise health insurance on for his family would have been hilarious, if it hadn’t been so serious. “there was not a breach, there was a blog” was a fascinating journey through the issues and problems surrounding the release of healthcare.gov, the US Government website and initiative more popularly known as Obamacare.

Not only were there many functional, usability and performance issues with this site upon release, but also a huge range of potential security vulnerabilities. At the time, Ben blogged about these issues, trying to make the government aware of the problems and ultimately found himself somewhat reluctantly being the subject of media interest.

Ben is an eloquent and humorous speaker, who is extremely skilled and knowledgeable about his craft. His experiences also reflect strongly upon my recently learning in the sphere of security testing and as a result, the most significant takeaway I had from this talk was the matter of ethics when reporting issues in live, public systems. Ben emphasises the need to constantly be aware of the ethics of testing, and not harming the site. All in all, a brilliant start to proceedings.

Next up was an exciting and challenging workshop run by Emma Armstrong – “Equipping you for the unexpected challenges of testing”. I’ve known Emma for a while, but I’ve never seen her speak or run a workshop.

Emma Armstrong -“Equipping You For the Unexpected Challenges of Testing”

Emma had created a huge range of resources and a challenging application for us to investigate. Emma’s workshop encouraged us to examine and use a wide range and techniques and thinking in order to solve a testing problem. I really love pairing and working in groups with others, so this workshop really resonated with me. There is no better way to learn than to learn from others, in practical situations.

One of the best takeaways I had from this whole conference was during this session. I was pairing with two other testers, one from Sweden, the other from Romania. We discovered that our cultural differences, and in turn our similarities, often drive our thinking while testing. It’s not often I get to pair with testers from outside the UK, so this was a fantastic experience.

Our backgrounds and values often will impact the way we think about testing, and the problems we uncover – for example – a “Title” field would be almost unthinkable outside the UK, yet in the UK to not to be able to select whether you were Mr, Ms, Mrs, Miss or even a Captain or Lord would be equally strange.

After lunch I attended a half day workshop run by John Stevenson – “A Journey towards self learning”. I was facilitating this session, so helping out John with logistics and cold beverages! Despite my responsibilities preventing me from taking many notes, this workshop was and extremely engaging exploration of our own learning.

John Stevenson – A Journey towards self learning

One of the major themes of the workshop was how constraints on information gathering can impact the quality of our learning and analysis of the information we gather. It can inform our opinions and how we apply values or biases to the learning we do.

One great example of this was a particular exercise. The group had to divide into three where each team had a particular task – discover as much as they could about the conference venue, with particular focus on the local flora. However each team had a major constraint imposed upon them – one was only able to use internet resources, another group could only use observations of the local environment, and the third could only speak to people at the conference venue. I went around with the third team to make sure the rules were adhered to.

The results were impressive and eye opening – whilst the team who had access to the web were able to gather a lot of data very quickly, they didn’t have the richness of data gathered by the other teams. It wasn’t easy for the other teams either, where it was fairly hard for team three to use information other than that gathered through word of mouth, as there was so much visual data to gather. Also, we were able to observe discrepancies and contradictions in the information that had been gathered. Its up to us as testers to be able to be mindful of our values and biases when analysing data, manage and work within constraints. John’s workshop was a fantastic way to engage with our own learning in an active and positive way!

All in all a fantastic start to an intense few days of learning! I’ll be blogging about day one and two over the next few days. Watch this space!

Posts navigation

Dan Billing

I'm a software test engineer of 16 years, currently working at Medidata.
I love testing, and all its wondrous variety. I like to help others become better testers by attending events, speaking, blogging and giving training.
Most of my current work focuses on testing strategy across the whole of the clinical trials suite that we build. This includes any kind of testing, from UI, API, performance, security, mobile etc. Whatever needs to happen.
I'm also building on the training, coaching and learning I've picked up elsewhere, and bringing that into my new team.
I enjoy running workshops and speaking, especially in the technical testing and security space; and to a lesser extent the psychology of what testers do.
Hopefully, It'll make me a better tester too!